GDPR – Part 1: The Basics of GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) replaces the current Data Protection Act (DPA) and extends the data rights of individuals. The new regulation will be enforced from 25th May 2018. Therefore, businesses should develop the required policies and procedures to protect personal data, and adopt appropriate technical and organisational measures by this date.

GDPR applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. GDPR applies to ‘personal data’ of individuals residing in the EU or EU nationals working outside the EU. ‘Personal data’ is any information relating to an identifiable person who can be directly or indirectly identified by any data a company holds such as name, identification number, location data etc.

Should there be a breach of personal data, it is mandatory to report this breach to the Information Commissioner’s Office (ICO) and it must be done within 72 hours of first having become aware of the breach.

How can Data be collected and processed?

GDPR requires that personal data must be:

• Processed lawfully, fairly and in a transparent manner in relation to individuals.

• Collected for specified, explicit and legitimate purposes.

• Adequate, relevant and limited to what is necessary for processing.

• Accurate and, where necessary, kept up to date.

• Kept in a form which permits identification of data subjects.

• Processed in a manner that ensures appropriate security of the personal data.

• If you offer an ‘information society service’ (ie, online service) to children, you may need to obtain consent from a parent or guardian to process the child’s data.

You must have a valid lawful basis in order to process personal data, which is covered under these categories:

• Consent – consent requires a positive opt-in.

• Contract – if you process personal data to fulfil your contractual obligations to a person.

• Legal obligation – if you need to process the personal data to comply with a common law.

• Public task – if you need to process personal data ‘in the exercise of official authority’. This covers public functions and powers, as well as tasks in the public interest, that are set out in law.

• Legitimate interests – use people’s data in ways they would reasonably expect and which have a minimal privacy impact.

Failing to comply

Organisations can be fined up to 4% of annual global turnover or €20 million (currently equivalent to around £18 million), whichever is greater, for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data. There is a tiered approach to fines: for example, a company can be fined 2% for not having its records in order or for not notifying the ICO and the individual about a data breach.